Hello everybody, I'm a network admin in a small company. I'm in charge of modernizing the firewalls, two very old Linux boxes with iptables.

Now, I could just go and install some CentOS with iptables and relax with a cup of coffee while my boss looks approvingly, or I could go with the new (for me) and sexy, powerful pf on OpenBSD that I fell in love with. I'm going for the second option.

So, as part 1 of my plan I have been researching all I can on pf; as practice I installed OpenBSD on a small machine and tried to write my pf.conf. Once done I tried to swap out this small firewall we have, which does NAT and forwards LDAP and port 8080 to 2 different machines, in preparation for the big changes. It doesn't work.

I humbly ask for some guidance as I kinda have a deadline for this of 2 weeks and I'm stuck.

The network is like this:
ISP router forwards all ports to the rl0 interface (192.168.0.9); the nfe0 interface (192.168.200.151) goes to the servers' network.

Hello everyone. After tinkering with pf and reading all the pf stuff I could find, I got a ruleset working for my configuration.

My only problem is that I can only reach the services behind the pf box if I use the same machine as the gateway for the box that is running those services, something that unfortunately can't be done.

At the minute I have 2 routers from my ISP with 8 public IPs each, one of them being 192.168.0.1 and the other 192.168.10.1.
The .0.1 router uses NAT for its 8 public IPs and .10.1 routes its 8 public IPs to a single iptables-based firewall, with if_ext 192.168.10.5 and if_int 192.168.200.25.

My pf box is behind one of the NAT addresses, and everything seems to be fine if I use it as the gateway for all the boxes I redirect ports to. The problem arises when I redirect ports to a box whose gateway is 192.168.200.25.

For example, let's say I have 192.168.200.93 as the www server and the pf box is 192.168.200.152. If I set .200.93's gateway to .200.152 (the pf box), everything works and I can access the www server from outside with no problems.
Now, if that gateway gets changed to the .200.25 box, it won't.

What is eating me is that this configuration does work for other machines if I use iptables, so I'm sure it's my pf configuration.

Here it is:

Code:

# interfaces
ext_if="rl0"
int_if="nfe0"
# networks
lan="192.168.200/24"
ip="public ip"   # placeholder, not used by any rule below
# services offered by the pf box itself
servicios_tcp="{domain}"
servicios_udp="{domain}"
servicios_icmp="echoreq"
# internal server
serv_ip="192.168.200.93"
servicios_serv="{ldap,smtp,www,https,imaps}"
# block policy and log
set block-policy return
set loginterface $ext_if
set skip on {lo enc0}
#scrub in all #commented due to testing
# ftp-proxy: hand FTP control connections to the proxy listening on 127.0.0.1:8021
anchor "ftp-proxy/*"
pass in quick inet proto tcp to port ftp divert-to 127.0.0.1 port 8021
block in log all
pass out keep state
pass quick on { lo }   # redundant with "set skip on lo", harmless
antispoof quick for { lo $int_if }
pass in quick log on $int_if
# nat
match out log on egress from $int_if:network to any nat-to (egress) #test nat
# only 80 and 443 are redirected to the internal server; the other ports in
# $servicios_serv (ldap, smtp, imaps) are passed below but not redirected anywhere
match in log on $ext_if proto tcp from any to any port 80 rdr-to $serv_ip port 80
match in log on $ext_if proto tcp from any to any port 443 rdr-to $serv_ip port 443
pass in on $ext_if inet proto tcp from any to ($ext_if) port $servicios_tcp keep state
pass in on $ext_if inet proto udp from any to ($ext_if) port $servicios_udp keep state
pass in inet proto icmp all icmp-type $servicios_icmp keep state
# (a bare "synproxy state" line is not valid pf.conf syntax and was dropped here)
# synproxy completes the handshake with the client and then opens its own
# connection to $serv_ip; that only works if the server's replies to this box's
# connection come back through $int_if rather than through another gateway
pass in on $ext_if proto tcp from any to any port $servicios_serv flags S/SA synproxy state
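The symptom described above (works when the server's default gateway is the pf box, fails when it is the iptables box at 192.168.200.25) is the classic asymmetric-routing case for a plain rdr-to: the server sees the real client address and sends its replies via its own default gateway, so pf never sees the second half of the connection and the state (and synproxy) never completes. The fragment below is an added example, not part of the original post, showing the redirect-only rule beside the corrected version that also rewrites the source address on the inside interface so replies come back through pf. Interface names and addresses are the ones from the post; the $serv_ports macro is mine.

```pf
# Added example (not the poster's ruleset). Macros and addresses as in the post.
ext_if="rl0"
int_if="nfe0"
serv_ip="192.168.200.93"
serv_ports="{ www, https }"

# Redirect-only, as in the post: the server at $serv_ip sees the real client
# address and answers via its own default gateway (192.168.200.25). When that
# gateway is not this box, the SYN-ACK never returns through pf, the state
# stays half-open and the connection stalls.
match in log on $ext_if proto tcp from any to any port $serv_ports rdr-to $serv_ip

# Corrected: for connections that entered on $ext_if and are leaving towards
# $serv_ip, also rewrite the source address to this box's inside address.
# The server then replies to $int_if, so the reply always comes back through
# pf regardless of the server's default gateway. received-on keeps the source
# NAT limited to traffic that arrived on the external interface.
match out on $int_if proto tcp to $serv_ip port $serv_ports received-on $ext_if nat-to ($int_if)

pass in on $ext_if proto tcp from any to any port $serv_ports flags S/SA synproxy state
```

The trade-off is that the web server now logs the pf box's inside address instead of the real client address for every external connection; if client addresses matter for the logs, keep the redirect-only rule and fix the routing on the server side (give it the pf box as default gateway, or a route for the traffic that must return through pf) instead. Check the syntax with `pfctl -nf /etc/pf.conf` before loading, and watch `pfctl -ss` while connecting from outside: with the redirect-only rule the state sits in SYN_SENT on the inside half, with the source NAT it goes to ESTABLISHED.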